A lot of security work starts the same way. Something hands you an indicator: an IP

out of a firewall log, a file hash off an alert, a domain from an email that did not

feel right. Before you can do anything with it you have to answer two questions. Is

it bad, and what is it connected to?

The usual way to answer that is by hand, one tab at a time: